WordPress DDoS Attack – Understanding DOS Exploit & Protection


WordPress DDoS Attack Protection

DDoS attacks can cause serious economic damage and make a website completely unavailable. But what is a DDoS attack? How can you secure your WordPress website against DDoS attacks, and how can you prevent DoS exploits?

What is a DDoS attack?

DoS / DDoS attacks, or (Distributed) Denial of Service attacks, occur when a hacker floods a website with more traffic than it can handle, causing it to slow down or shut down altogether. According to Akamai’s Q1 2016 report, there was a 125.36% increase in total DDoS attacks compared to Q1 2015.

Let’s start by explaining what a DoS attack (denial of service) is. This is a situation in which a computer system cannot provide the service that you (the user) expect from it.

This may be due to an unintentional error in a program, but most of the time these are situations where access to servers, devices, services, networks, applications, or even specific transactions within applications are intentionally made impossible by individuals such as hackers or activists.

While in the case of a DoS attack, there is only one system that launches the attack, in the case of a DDoS (Distributed Denial of Service) attack, the attack will come from different systems.


Specifically, the attacked system is overwhelmed by a huge number of requests. A web server receives so many requests to display a page that it cannot handle them and succumbs to the attack. It can also be a database that receives so many requests that it no longer manages to process them, to the point of slowing down or even crashing.

As a result, normal queries no longer reach the database or the web server, and the user can no longer obtain the desired information. False requests use all the available bandwidth and cause CPU/RAM saturation.


What is the role of a botnet in a DDoS attack?

DoS and DDoS attacks have been around for over 20 years. The first attack mentioned in the press dates from the year 2000, when a student known as Mafiaboy, in an attack called Rivolta, managed to paralyze sites such as Yahoo, Amazon, CNN and eBay.

In October 2016, a major ISP, Dyn DNS, was the victim of a DDoS attack that caused serious service problems with Amazon, Netflix, Reddit, Spotify, Tumblr and Twitter.

However, attacks are becoming more powerful. By the end of the 1990s, 150 queries per second were enough to crash a system. During the attack on DynDNS, this amount had risen to 1.2 TB of fake requests per second, and in a recent attack against Github, 1.35 TB of fake requests per second.

DDoS attack map (source: digitalattackmap.com)

This impressive number of false requests from various sources is only possible through the use of “botnets”. These are networks of computers on which hackers, unknown to their owners, have installed software that springs into action during the attack. Such compromised computers are also called zombie machines: they obey the botnet’s controller like sheep following their shepherd.

The attack on DynDNS used the Mirai botnet, which included more than 100,000 IoT devices such as IP cameras and printers.

Such botnets are offered for sale or rent on the dark web, ready to use!

If you want to know more about the different types of DOS attacks (like SYN flood, UDP flood, Death Ping, etc.), this article will provide you with lots of very useful information on the subject.

Who launches DDoS attacks and why?

You are very probably wondering why someone would launch such an attack. There are several answers. Some just do it “for fun”, because it is possible and it boosts their reputation as a hacker. Others act for purely criminal purposes, such as extortion: they attack a website and demand money to stop the attack.

And once this attack is successful, they can threaten other companies: “pay or the same will happen to you!”. This way of proceeding is comparable to that of mafia and their “protection money”.

They may also be individuals or groups acting for personal reasons. It is even possible that attacks are sponsored by a government against the systems of other countries.


What do hosting companies do to protect you from DDoS attacks?

For starters, a good hosting company has a huge advantage: the size of its network. While an attack on the servers of a small hosting company would immediately saturate its network, large hosting companies are able to spread the fake traffic across a large network.

You can compare this to a single-lane road that is suddenly confronted with huge traffic, so that traffic comes to a complete standstill, versus a 100-lane road that is able to cope with the increase in traffic without any problem.

Malicious traffic is blocked and legitimate traffic is filtered then sent to the correct destination. Thus, even during a DDoS attack, your visitors can access your website or application without any problem.


Tips To Secure your WordPress site from DDoS attack

WordPress, unfortunately, doesn’t have built-in features to protect against DDoS attacks, and it’s not easy to achieve via a plugin either. One of the best ways to protect a WordPress site from a DDoS attack is with a host that has protection built into the network, filtering malicious traffic before it even hits your routers or servers. Here we are going to discuss the notion of a WordPress DDoS attack, or denial of service attack, which is increasingly mentioned in the media. But what is it, then? And what advice is there to protect yourself?

There are two types of attack: undistributed (DoS) and distributed (DDoS). The former can be countered by a simple IP ban; the latter, coming from many more sources, are virtually impossible to counter while the attack is in progress. However, a few simple safety rules applied upstream will help to avoid this threat as much as possible.


Change Your DNS Settings (Incapsula)

Your DNS settings normally direct visitors directly to your website. You need to change them to direct traffic to Incapsula’s servers instead.

That involves making the following changes in your cPanel’s Advanced DNS Zone Editor:


  • Change your A record to point to Incapsula’s IP address
  • Add a second A record to point to another Incapsula IP address
  • Update (or create) a www CNAME record to also point to Incapsula.

DNS changes may take 48 hours to propagate, but your website will stay live during the changeover. After that your website’s traffic will be routed through Incapsula’s network, and you’ll be protected from DDoS attacks.

Choice Of Host And Scanner

Choose a host and a scanner that can offer services to counter the different types and techniques of attack. A reputable host would offer several techniques to protect websites, such as mitigation, which filters out the “illegitimate” traffic generated by botnets, or absorption, which uses the capacity of its data centres to process all the queries so that the website is not disrupted.

In addition, WP Hacked Help has also put in place a variety of WordPress security mechanisms to detect and respond to WordPress DDoS attacks in a timely manner. Another option WP Hacked Help offers you is the anti-DDoS cleaning option through scanning.

Its operation is simple: as soon as malicious traffic is detected, WP Hacked Help reports it to you, then redirects the traffic for analysis, where tools determine whether or not it is legitimate.

WordPress DDoS solutions

Solutions like Cloudflare distribute your data across several servers around the world to allow permanent access. Intended rather for sensitive or busy sites, they are also based on the principle of decentralisation. Other DDoS solutions geolocate users effectively, in order to block the flow from a given country or region.

Set Up A Mirror

Set up a mirror site: a true copy of your website on another domain (for example by also buying the .com or .net domain). This must, of course, be done upstream. Several WordPress plugins automate this process, including wp-mirror.

Prepare a light version of the site. Several sites have already switched to a lightened version during periods of high traffic (election results, major events), to have a lighter structure to load and thus relieve bandwidth. But this version is generally less attractive.

Install automatic alert systems

Set up and prepare a “whitelist” in order to restrict access, when necessary, only to technicians and administrators of the site, for example for maintenance operations.

Install effective and automatic alert systems, to make the first interventions automatically. This implies a good knowledge of the network by administrators, who must also know how to identify and authorize legitimate traffic.

How to Prevent DDoS Attacks on a WordPress site?

Find and Fix Vulnerabilities in WordPress

The problem remains that WordPress is prone to vulnerabilities, and some of the exploits are very easily used by DDoS attackers. DoS attack prevention is a tough job. But, as they say, it’s better to be safe than sorry.

The best you can do to reduce the threat of DDoS attacks is to fix vulnerabilities in your WordPress sites, such as the WordPress Arbitrary File Deletion vulnerability, the WordPress REST API vulnerability and many more, along with following general tips to secure your WordPress site and setting up WordPress two-factor authentication.

Suppose for a moment that the requests your website receives are as follows:

152.65.171.11 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=11973-18160-4434 HTTP/2.0" 200 8950 "-" "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.12154 Safari/537.40"
32.55.10.14 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=12974-18576-27383 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/6.0)"
159.65.156.160 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=13055-12525-19160 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 9.0; Win64; x64) AppleWebKit/141.36 (KHTML, like Gecko) Chrome/36 Safari/537.36"
47.55.13.13 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=13060-440-2062 HTTP/2.0" 200 8940 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/375.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.37"
201.10.17.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=13831-6592-5705 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 7.0; Win64; x64) AppleWebKit/144.36 (KHTML, like Gecko) Chrome/19 Safari/537.32"
45.169.67.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=14737-26600-23381 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
68.183.175.2 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=14817-6999-8812 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 5.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/11.0 "
41.10.60.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=16747-3280-27284 HTTP/2.0" 200 8950 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
159.68.170.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=17385-12079-19913 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
163.55.60.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=20176-22092-10087 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/101.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/587.31"
19.156.10.165 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=20378-3097-24832 HTTP/2.0" 200 8950 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.) Gecko/20150101 Firefox/66.0 "
186.11.60.13 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=21147-27226-26924 HTTP/2.0" 200 8955 "-" "curl/7.1
14.99.11.2 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=21478-11397-31330 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebit/126.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.12"
11.65.55.3 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=25692-23013-20062 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 9.0; Win64; x64) AppleWebKit/333.36 (KHTML, like Gecko) Chrome/14.0 Safari/557.01"
33.32.158.165 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=26413-23770-32319 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; bingbot/1.6; +http://www.bing.com/bingbot.htm)"
13.55.60.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=26523-9017-6348 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
152.65.171.169 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=26909-30927-7354 HTTP/2.0" 200 8950 "-" "curl/7.58.0"
162.11.14.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=32112-28532-15792 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/100.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
64.16.88.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=4017-25004-8181 HTTP/2.0" 200 8945 "-" "curl/7.33.0"
122.15.158.165 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=431-14829-8710 HTTP/2.0" 200 8940 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/64.0 "
37.55.65.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=4471-10241-3399 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.16 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
45.55.88.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=489-30164-14756 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/532.36 (KHTML, like Gecko) Chrome/71.0.3626.121 Safari/537.36"
45.26.60.88 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=6114-31830-6800 HTTP/2.0" 200 8945 "-" "curl/7.11.0"
23.68.158.165 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=6480-3069-4171 HTTP/2.0" 200 8940 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/587.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/214.36"
14.13.60.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=6777-8027-10654 HTTP/2.0" 200 8945 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/12 Safari/511.36"
159.63.10.169 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=8690-15927-13372 HTTP/2.0" 200 8950 "-" "curl/7.22.0"

These search requests are coming from different IP addresses and user agents: there is no pattern. You see lots of requests per second. Your website is hosted on a very limited hosting plan and resource usage is skyrocketing. Don’t panic, and proceed!
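To turn that picture into something you can check automatically rather than by eye, here is an added Python example (not code from the original article) that parses lines in the combined log format, tallies hits on the search endpoint per second, and reports the three signs of a distributed search flood visible in the sample: many requests within one second, almost every request from a different IP, and a search string that never repeats (which defeats any page cache). The ten flood lines embedded are copied from the sample above, including the truncated curl line, which the parser rejects as malformed; the two “normal” lines, the example.com referer and the threshold of five search requests per second are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format as written by Apache and nginx. The referer and user agent
# are the last two quoted fields; a line that lacks the closing quote of the
# user agent (like the truncated "curl/7.1 line in the sample) will not match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # "/?s=11973-18160-4434" -> path "/" and query "s=11973-18160-4434"
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def flood_indicators(lines, path="/", param="s", threshold_per_second=5):
    """Summarise requests to one search endpoint and flag a distributed flood.

    Indicators (all visible in the sample log): many hits on the same path
    within one second, nearly every hit from a different IP so no single
    address stands out, and a never-repeated search value. The threshold of
    five requests per second is an assumption for this example; tune it to
    the normal search rate of the site being protected.
    """
    per_second = Counter()
    ips, agents, queries = set(), set(), Counter()
    matched = skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed line: count it, do not crash
            continue
        if rec["path"] != path or not rec["query"].startswith(param + "="):
            continue              # not a search request
        matched += 1
        per_second[rec["ts"].replace(microsecond=0)] += 1
        ips.add(rec["ip"])
        agents.add(rec["ua"])
        queries[rec["query"]] += 1
    peak = max(per_second.values(), default=0)
    ip_ratio = len(ips) / matched if matched else 0.0
    unique_q_ratio = sum(1 for c in queries.values() if c == 1) / matched if matched else 0.0
    return {
        "search_requests": matched,
        "unparsed_lines": skipped,
        "peak_per_second": peak,
        "distinct_ips": len(ips),
        "distinct_user_agents": len(agents),
        "distinct_ip_ratio": ip_ratio,
        "unique_query_ratio": unique_q_ratio,
        "looks_like_flood": (peak >= threshold_per_second
                             and ip_ratio >= 0.8 and unique_q_ratio >= 0.8),
    }


# Ten lines copied from the sample log above; FLOOD_SAMPLE[4] is the truncated one.
FLOOD_SAMPLE = [
    '152.65.171.11 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=11973-18160-4434 HTTP/2.0" 200 8950 "-" "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.12154 Safari/537.40"',
    '32.55.10.14 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=12974-18576-27383 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/6.0)"',
    '159.65.156.160 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=13055-12525-19160 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (Windows NT 9.0; Win64; x64) AppleWebKit/141.36 (KHTML, like Gecko) Chrome/36 Safari/537.36"',
    '159.68.170.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=17385-12079-19913 HTTP/2.0" 200 8955 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '186.11.60.13 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=21147-27226-26924 HTTP/2.0" 200 8955 "-" "curl/7.1',
    '152.65.171.169 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=26909-30927-7354 HTTP/2.0" 200 8950 "-" "curl/7.58.0"',
    '64.16.88.15 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=4017-25004-8181 HTTP/2.0" 200 8945 "-" "curl/7.33.0"',
    '122.15.158.165 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=431-14829-8710 HTTP/2.0" 200 8940 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/64.0 "',
    '45.26.60.88 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=6114-31830-6800 HTTP/2.0" 200 8945 "-" "curl/7.11.0"',
    '159.63.10.169 - - [11/Mar/2019:14:36:08 -0400] "GET /?s=8690-15927-13372 HTTP/2.0" 200 8950 "-" "curl/7.22.0"',
]

# Two constructed lines of ordinary search traffic from one visitor, for contrast.
NORMAL_SAMPLE = [
    '203.0.113.5 - - [11/Mar/2019:14:40:01 -0400] "GET /?s=hosting HTTP/2.0" 200 9120 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    '203.0.113.5 - - [11/Mar/2019:14:40:09 -0400] "GET /?s=hosting+plan HTTP/2.0" 200 9130 "https://example.com/?s=hosting" "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
]

if __name__ == "__main__":
    for name, sample in (("flood sample", FLOOD_SAMPLE), ("normal sample", NORMAL_SAMPLE)):
        print(name, flood_indicators(sample))
```

On a live server you would feed it the whole access log (for example the output of `tail -n 5000`) instead of the embedded list; the distinct-IP ratio is what tells a distributed flood apart from one abusive client that a simple IP ban would handle.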


Here you will find the most effective and the most popular strategies to defend your website:


Apply rate limits to WordPress

Limit the bridge to the castle by applying rate limits, which are rules for controlling traffic. This requires a special module installed on your web server to control the traffic on a specific part of your website. You can use the modules:

  • mod_security,
  • mod_evasive,
  • ngx_http_limit_req_module,
  • or special software such as fail2ban. Consult your hosting provider if you do not know how to proceed.

It is also possible to achieve the same goal by using plugins on your website, but this would usually imply that the plugin should monitor everything that is viewed and thereby generate an additional load on your hosting plan, which we are precisely trying to avoid.
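As an added illustration of what these modules do (example code written for this article, not the code of mod_evasive, ngx_http_limit_req_module or fail2ban), here is a Python model of a leaky-bucket limiter with the rate-plus-burst semantics of nginx’s limit_req, replayed over three constructed request streams. It shows why a per-IP limit stops a single abusive client but lets the distributed pattern from the log above straight through, and what a legitimate visitor experiences when the limit is instead keyed on the search endpoint. The IP addresses, the 5 requests/second rate and the burst of 10 are assumptions chosen for the demonstration.

```python
from collections import Counter, namedtuple

# A request is reduced to what a rate limiter keys on: arrival time in seconds,
# client IP and request path. All streams below are constructed test data.
Request = namedtuple("Request", "ts ip path")


class LeakyBucketLimiter:
    """Per-key leaky bucket in the spirit of nginx limit_req (rate + burst).

    Every key carries an 'excess' counter: +1 per request, draining at `rate`
    requests per second. A request is accepted while the excess stays within
    `burst` and rejected otherwise (nginx answers such requests with 503).
    Rejected requests do not add to the excess. Simplified model, not nginx code.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self._state = {}  # key -> (timestamp of last accepted request, excess)

    def allow(self, key, now):
        last, excess = self._state.get(key, (now, 0.0))
        excess = max(0.0, excess - (now - last) * self.rate) + 1.0
        if excess > self.burst:
            return False
        self._state[key] = (now, excess)
        return True


def by_ip(req):
    """Key on the client address: what mod_evasive or a plain per-IP limit_req zone does."""
    return req.ip


def by_path(req):
    """Key on the endpoint: one shared budget for, e.g., the search URL."""
    return req.path


def simulate(requests, key_func, rate=5, burst=10):
    """Replay a request stream through a fresh limiter and count the verdicts."""
    limiter = LeakyBucketLimiter(rate, burst)
    verdicts, rejected_keys = Counter(), Counter()
    for req in sorted(requests, key=lambda r: r.ts):  # stable sort keeps arrival order
        key = key_func(req)
        if limiter.allow(key, req.ts):
            verdicts["accepted"] += 1
        else:
            verdicts["rejected"] += 1
            rejected_keys[key] += 1
    return {"accepted": verdicts["accepted"], "rejected": verdicts["rejected"],
            "rejected_keys": dict(rejected_keys)}


SEARCH = "/?s="
# Scenario 1: one source hitting the search URL 30 times within the same second.
SINGLE_SOURCE = [Request(0.0, "198.51.100.7", SEARCH) for _ in range(30)]
# Scenario 2: one visitor searching five times, one second apart.
LEGIT_VISITOR = [Request(float(i), "203.0.113.5", SEARCH) for i in range(5)]
# Scenario 3: the pattern in the log above: 30 different IPs, one request each, same second.
DISTRIBUTED = [Request(0.0, "192.0.2.%d" % i, SEARCH) for i in range(1, 31)]

if __name__ == "__main__":
    print("single source, per-IP limit:   ", simulate(SINGLE_SOURCE, by_ip))
    print("legit visitor, per-IP limit:   ", simulate(LEGIT_VISITOR, by_ip))
    print("distributed, per-IP limit:     ", simulate(DISTRIBUTED, by_ip))
    print("distributed, per-path limit:   ", simulate(DISTRIBUTED, by_path))
    print("distributed + legit, per-path: ", simulate(DISTRIBUTED + LEGIT_VISITOR, by_path))
```

The last run is the trade-off the article is pointing at: keying the limit on the search endpoint does cap the flood at the burst size, but the legitimate visitor’s first search in that same second is rejected too, which is why the following sections move on to hiding, replacing or disabling the search feature and to a WAF in front of the site.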

Change the query string “/?s=” in WordPress

Deceive the attacker by modifying the search query string “/?s=”.

Remember, however, that an attacker can easily discover the new search URL, and if the attacker targets the search field of your website itself, changing the search URL will have little effect.

Replace the WordPress search engine

Combine your specialised strategies by replacing the WordPress search engine with a professional search service such as Algolia, SearchIQ or any other external search service.

These external services have their own infrastructure and they:

  1. have native protection against wordpress brute force attacks,

  2. offer more filters for a refined search experience,

  3. speed up search queries.

Most of these professional search services offer a WordPress plugin that can replace the original search system in a seamless way, usually with a simple click and no code change.

Disable the WP search feature

Close the castle doors by disabling the WordPress search feature if your website does not need it. A good idea would be to use the Disable-Search WordPress plugin.

If you do not want to use a plugin, you can use a security rule in your .htaccess or nginx.conf file to block access to “/?s=”, for example (Apache mod_rewrite):

# BEGIN Block WordPress Search
RewriteEngine On
RewriteCond %{QUERY_STRING} ^s=([^&]+)$ [NC]
RewriteRule ^(.*)$ - [F,L]
# END Block WordPress Search

Use a Web Application Firewall (WAF)

A WAF is able to stop the attack right after activation by using pattern recognition algorithms, a very powerful network and specially crafted filters.

Install a cloud-based website firewall and let it do the rest for you. What you get:

  1. proven mitigation technology,

  2. a proactive team behind it with years of experience in the field,

  3. readiness to face anything,

  4. protection of the website against WordPress vulnerabilities you did not even know existed,

  5. and a lot more.

Disable XML-RPC in WordPress to Prevent XML-RPC Abuse

The XML-RPC protocol (XML Remote Procedure Call) has allowed remote access to a WordPress site’s web services since version 2.6.

This can allow you to:

  • connect to a WP site from a smartphone app

  • activate TrackBacks and Pingbacks

  • use Jetpack in a very advanced way

  • use the Windows Live Writer software

  • link third-party services (Buffer, IFTTT, etc.)

A useful feature, but this API is aging and exposes your site to many attacks (brute force attacks, HTTP flood attacks, denial of service attacks such as DDoS).

By thus extending the functionality of WordPress, you greatly increase the chances of being hacked!

To stop your WordPress website from being misused, you will need to disable the XML-RPC (pingback) functionality on your site.

A better way to block it is by creating a plugin that adds the following filter:

add_filter( 'xmlrpc_methods', function( $methods ) {
    // remove the pingback method so xmlrpc.php can no longer be used for pingback abuse
    unset( $methods['pingback.ping'] );
    return $methods;
} );

How to protect against attacks by XML-RPC?

If you are tempted to simply delete the xmlrpc.php file from WordPress, know that this is not a good idea!

This file is part of the WordPress source code. This can cause errors, and in any case, it will reappear at the next update.

Here are 4 ways to block this protocol:

Disable XML-RPC via the functions.php file

1. Disable XML-RPC entirely:

add_filter( 'xmlrpc_enabled', '__return_false' );

2. Remove the X-Pingback HTTP header that advertises the endpoint:

add_filter( 'wp_headers', function( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

3. Disable pingbacks only, and remove the RSD link tag (which points to xmlrpc.php) from the page head:

add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
remove_action( 'wp_head', 'rsd_link' );

Disable XML-RPC via the wp-config.php file

add_filter( 'xmlrpc_enabled', '__return_false' );

4. Disable XML-RPC via a plugin – Eazy XMLRPC Disable Pingback

In this case, nothing really complicated, just download the plugin, activate it and possibly set some parameters to protect!

IP Blocking – Surveillance Against DDoS Attacks

If you are running on your own server, the next step would probably be to install an IP blocking or firewall plugin.

In the case that a DDoS attack slips through, you may notice that your pages are loading slowly and have time to block the bad IP address ranges before your website goes completely down.

IP Geo Block – WordPress plugin 

Check your website out every day by doing a scan through the main pages. If you notice anything out of place, go ahead and assume that something is wrong and take measures to block any suspicious traffic.

Again, make sure that your web host is a good web host that takes security measures to help protect your website against DDoS attacks, as well. If they don’t, or if you notice you keep getting DDoS attacks, it may be time to switch web hosting providers.

Update Your WordPress Version Regularly

One thing that most of us get by using WordPress is the idea that it is regularly updated with better security enhancements owing to contributors and a vibrant community.

Things to update:

  • WordPress installation
  • WordPress themes
  • WordPress plugins
  • PHP version on the server
  • Apache version
  • MySQL version
  • OS version
  • Any other script or software which you use

Apart from updating your WordPress Versions and its related elements, maintain all the server side updates.

Get in Contact with Your Web Host

You should get in touch with your web host and discuss whether the servers and network hardware are running the newest versions of their software. Also, you should discuss what security measures your web host provides:

  • SFTP & SSH Access
  • Application Level Firewall
  • Operating System Firewall
  • Auto backups, Server Cloning, and Auto-Healing
  • Dedicated IP on Cloud Server
  • Auto updates and patches of OS and services
  • Application updates and notifications

Use Plugins To Protect Against DDoS in WordPress

Configuring a security plugin can add a layer of defense to your WordPress website. We prefer to make use of our wordpress scanner as we actively monitor and prevent against DDoS attacks happening worldwide on WordPress websites.

WordPress already has several plugins to help you protect yourself against a DDoS attack. Loginizer limits the amount of times someone can try logging into an account before their IP address gets blocked from your website, which is helpful in preventing brute force attempts as well as attempts to flood and confuse your server with login traffic.

The WordPress Security plugins assist further by blocking traffic that is demanding too many connection requests at once, as well as setting up blacklists of bad IP address ranges that have been found to have malicious intent.

However, plugins shouldn’t be your only choice for protecting your website from DDoS attacks. Many plugins go neglected by their developers and lack up to date security measures to keep your website safe.


Security plugins do take a chunk out of your web server’s capacity, as their scripts use a great deal of resources to monitor the various security threats that your particular WordPress website faces.

Hardening your website security especially those that run WordPress should be your top priority now. It will assist in lessening the DDoS threat level as it decreases the number of vulnerable WordPress resources available to the attacker.


Conclusion:

The economic damage resulting from the temporary inaccessibility of a site or a web service due to a WordPress DDoS attack can be enormous. The techniques used for DDoS attacks are becoming more sophisticated and require a higher level of vigilance or protection against these attacks. Our experienced staff follow these developments very closely and use the latest methods of defence as quickly as possible. You are thus guaranteed that your website will remain accessible.

WordPress DDoS protection is an integral part of what you get by default with your package. WP Hacked Help sets up a real shield around your WordPress site, at different levels, to protect the application, the operating system and the network. It also includes protection against brute force attacks and SQL injections.
